WOO X suffered a $14 million breach after a targeted phishing attack compromised a team member’s device and exposed access to the development environment. The attacker used that access to reach hot-wallet-related systems and coordinate withdrawals across …
TraderTraitor is presented as a North Korean financially motivated activity cluster focused on stealing cryptocurrency and other digital assets from blockchain and cloud-connected organizations. The excerpt ties the cluster to Lazarus Group, APT38, BlueNo…
InvisibleFerret is described as a Python-based backdoor used by Lazarus Group or Famous Chollima in Contagious Interview operations against developers, cryptocurrency workers, finance targets, and other technology professionals. The infection chain relies…
CSIS describes how North Korea uses third countries including China, Russia and Southeast Asian states to support cyber operations, cryptocurrency theft, sanctions evasion and intelligence collection. The report says DPRK operators route activity through …
A Korean analysis examines a suspected Kimsuky-linked Excel malware sample disguised as a bonus calculation spreadsheet. The workbook uses macros to read a download URL from Sheet1 cell A10001, escape command characters, and invoke curl through cmd.exe to…
Christina Marie Chapman was sentenced to 102 months in prison for helping North Korean IT workers obtain remote jobs at more than 300 U.S. companies, generating over $17 million for Chapman and the DPRK. The scheme used stolen, borrowed, and false U.S. id…
OFAC sanctioned Korea Sobaeksu Trading Company and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for supporting DPRK sanctions evasion and revenue generation, including fraudulent IT worker activity. The release says Sobaeksu operates as a front company for…
The source maps suspected North Korean IT-worker GitHub accounts and aliases around the codezs17 cluster. It links Cryptogru, formerly aidenwong812 and alternatively Donald-romeo-1100, to initial commits, then describes codez17 replacing references to cry…
The FBI warns that North Korean IT workers continue targeting U.S. businesses to obtain fraudulent employment, access company networks, and generate revenue for the DPRK in violation of U.S. and U.N. sanctions. The activity relies on identity obfuscation …
ASEC identified RokRAT distribution through malicious Hangul Word Processor documents rather than the malware's more typical LNK-based delivery chain. A North Korea grain-store-themed lure embedded ShellRunas.exe and credui.dll as OLE objects, which the H…
WhoisXML API examined a BlueNoroff attack in which victims received a Calendly-themed meeting invite over Telegram that redirected them from an expected Google Meet flow to an actor-controlled fake Zoom domain. The infection chain triggered a malicious Ap…
Validin describes upgrades to its host-response history and artifact collection, then uses the Bybit heist attributed by the FBI to North Korea's Lazarus Group as TraderTraitor to demonstrate retrospective infrastructure hunting. By searching over eight m…
Rekt attributes the CoinDCX incident to attackers who allegedly prepared the theft over several days, funding activity with 1 ETH from Tornado Cash before routing through FixedFloat, Polygon, deBridge and Solana. The article describes a July 18 drain of a…
GenDigital observed a multi-stage DeceptiveDevelopment-style attack chain that used a mock hiring assessment and fake camera-update flow to trick users into copying and running a malicious command disguised as an NVIDIA-related update. The infection downl…